Botnets And Alife
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Botnets And Alife

on

  • 2,926 views

 

Statistics

Views

Total Views
2,926
Views on SlideShare
2,925
Embed Views
1

Actions

Likes
0
Downloads
56
Comments
0

1 Embed 1

http://www.lmodules.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Botnets And Alife Document Transcript

  • 1. Botnets and Alife Botnets and Alife Christopher Horne
  • 2. Botnets and Alife NTS222 Final Project- Botnets What is a botnet? Why does the subject occupy such a prominent place in the standardized, processed information that is currently labeled as ‘News’. Does it really present a threat to the average computer user, or is the phenomena simply part of the international corporate agenda? To begin with, I would like to quote SANS (www.sans.org/reading_room/malicious/1299.php): “Using thousands of zombie machines to launch distributed denial of service attack(s) against enterprise and government resources is becoming [a] dangerously common trend. Recently, there Is a growing trend towards attackers using Internet Relay Chat(IRC) networks for controlling & managing infected internet hosts.” I believe that the key word here is ‘resources’. Wikipedia says the term ‘botnet’ is “generally used to refer to a collection of compromised, or zombie computers running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet’s originator (aka ‘bot herder’} can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC ‘bots’. Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the IRC 1459 (http:/ietf.org/html/rfc 1459) (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer flows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.” A botnet may be viewed as a natural outcome of the commoditization of information. Biologist Thomas Ray, in a 1994 paper (Thomas S.Ray :Evolution, Complexity, Entropy, and
  • 3. Botnets and Alife Artificial Reality Physica D 75:239-263, 1994) described setting up an artificial life (alife) computer simulation called Tierra in which digital organisms competed for computer resources (CPU cycles, memory,etc). setting up an analogue for Darwin’s ‘survival of the fittest’. From an original ‘ancestor’ organism with a length of eighty instructions, mutants began to evolve with shorter instruction sets. At a certain point ‘parasites’ with only forty-five instructions appeared. Hosts developed defenses, parasites found new means of attack. Like botnets versus the legitimate internet ‘hosts’, the war was on. Later, ‘hyperparasites’ evolved, which could steal the replication of the parasites. Today, we can see the beginning of this latter process on the Internet, as it becomes evolutionarily ‘cheaper’ for one botnet owner to steal another’s network than to set up a new one. On the net, the security holes in the newly stolen botnet are often closed and the zombies given defensive abilities against other would-be botnet thieves. In the Artificial Life version of this struggle, the original parasites were driven to extinction, and a cooperative cycle evolved between groups of hyperparasites who relied on their neighbors for more efficient growth. A new breed of parasite soon evolved which took advantage of the cooperative cycle for its own ends. The end result was an open-ended evolutionary process. Ray’s study suggests the direction of the external form of botnets and their organization on the net. However, like the supposedly empirical stock market, reacting to laws of supply and demand, the missing factor is the human one. We also see a parallel phenomenon with corporations using tax breaks altruistically allocated by Government in order to generate new jobs and new factories being used to take over competitors and slash their employment. It is simply a more efficient use of resources. There are currently three common bot variants. WWW.honeynet.org calls them 1)Agobot/Phatbot/Forbot/XtremBot , 2)SDBot/Rbot/UrBot/UrXbot, and MiRC-based bots – GT-
  • 4. Botnets and Alife Bots. Agobots, the first category, is probably the best known. This is a C++ bot with cross- platform abilities. It is modularly structured, easy to add commands or vulnerability scanners to. Agobot employs sniffers, Alternate Data Streams, and rootkits to hide itself. It can detect debuggers used by forensic computer specialists and virtual machines such as VMWare, as well as set up and init script on Linux machines. SDBots are very active currently. It is written in C, sometimes poorly implemented, with a limited command set, and the implementation not particularly sophisticated, but apparently very popular with malware writers. As I will detail later in this paper, there is a sizeable constituency of bot-herders who are relatively unskilled and who simply download and implement ready-made malware programs from the Internet. I can make a broad generalization that these so-called ‘script kiddies’ are the largest consumers of SDBot-type programs. MiRC-based bots constitute most other implementations. They launch an instance of the MiRC chat-client with scripts and binaries. Many link to DLL files which add new features to the original script, such as using the scanners in the DLL scripts. After exploitation, bots use Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HTTP, and IRC extensions to transfer themselves to the hosts. Binaries connect to a master IRC server, using a dynamic DNS-generated IP address, so that the bot joins the rest of the botnet. The server accepts the bot as a client, and the bot is relayed commands to spread itself. The bot controller is able to authenticate himself to the IRC server in order to control the botnet. Once in control, the hacker can search for sensitive information, launch a Distributed Denial of Service(DDos) attack, enable keyloggers, look for account information or passwords, etc. TCP ports 445,137(UDP),139(NetBIOS and 135(RPC) are frequent carriers of botnet traffic. Port 445 (Microsoft DS Service) is used for resource sharing (Win 2k, XP, Server 2003).
  • 5. Botnets and Alife WWW.honeypot.net reports these ports account for more than 80% of all observed botnet traffic, with XP and 2000 being the most prevalent software to be affected. Windows 2000 is much more popular than XP for this purpose. Botnets vary in size from a few hundred machines to 50,000(www.honeynet.org/papers/bots). The large networks may use 5 IRC servers. Note that the servers themselves have been modified in order to make tracing them more difficult. Many are not IRC compliant, so that they are difficult to link to. Some skill in writing the same kinds of scripts the hackers use is often necessary to ‘rehack’ back into the servers. Routing of botnets is often quite baroque, with paths going through far-flung countries where extradition and prosecution of botmeisters is difficult or ill-defined. There is a certain irony that the IRC infrastructure used by botnets is often public in nature. IRC channels such as Efnet, Undernet and Dalnet provide stable, scalable infrastructure over which to launch attacks. IRC operates over a default port of 6667. IRC servers listen in a port range of 6000- 7000, although any TCP port can be used if so configured. The term “bot “ derives linguistically from “robot”, and reflects the “automaton” nature of the enterprise. It should be noted that “bots” have legitimate counterparts in the computer game and search engine fields, the former being an agent in the game imbued with a certain amount of artificial intelligence to perform actions in a quasi- independent fashion (such as an enemy soldier that takes evasive action when fired upon), and the latter in the search-engine “spiders” that go from website to website updating information for the central data fileservers of the search engines. Of course, the malware agents utilize spiders and artificial intelligence for their own nefarious purposes as well. The favored targets of botnets are servers with high bandwidth machines connected to the Internet by broadband. The resulting “pipe” is ideal for large DDos attacks
  • 6. Botnets and Alife on networks. It would be futile for the botmeister to order a massive attack, only to find out that half his botnet is shut down because the server he wished to channel the attack on is not in service mode. Consequently, servers that are reliable and connected on a 24 hour basis are very desirable. One highly unexplored defense against botnet attacks would be to build unreliability (or at least random reliability) into the Internet as a whole. Any avid reader of John Le Carre’s spy novels will know that randomness of behavior is a rudimentary but effective technique in maintaining spy networks, but in the real world a corporation or institution lives or dies by its reputation for consistent Quality of Service. Still, as the counterintelligence capabilities of the “White Hat” server defenders grows, as it inevitably will as part of the continuing battle between hackers and institutions, some variation of this tactic might prove effective for a time. Knowing that an attack is planned, certain pipes could be made to become temporarily unstable, disrupting coordinated attack efforts. At the very least, this would send the message that the operations of a botnet are known and are being monitored effectively (if indeed it becomes desirable to relay such knowledge to the attacker). Perhaps this tactic might be more useful in the hands of a ruthless botnet rival, or a rival who has been “turned” by the forces of good. As the American computer scientist Alan Kay put it, “The best way to predict the future is to invent it.” Finally, botnet operators prefer vectors that are geographically far away from their true position, run by people who are somewhat ignorant of network operations and management. Both of these factors result in a lower threshold of detectibility for the attacker. It is within the purview of IRC administrators to ban botnet operators from using their public channels. This action would swiftly end the game for IRC botnets, and therefore the operators are skilled at avoiding detection. Service providers like noip.com are used to dynamically map bots with multiple IRC servers, obfuscating the ‘signature’ of the botnet. Complex passwords are used to prevent other potential users from logging onto the network, and often the ‘handle’
  • 7. Botnets and Alife of the operator consists of only one or two letters. Survivability is a key element in the overall psychology of botmeisters. Like a terrorist ‘cell’ the discovery of individual bots or infected servers must not be linked back to the main organizational structure of the botnet, or like Ariadne’s thread, it will lead to the center of the Labrinth, where the minotaur will find itself destroyed. In this way, even if a server or host is banned from the IRC channel, the botnet will live on. We may fairly ask, what kind of data is worth this kind of effort to maintain a botnet? Certain intellectual property, such as movies, mp3s, software, and warez find a ready market in parts of the world where this output, at vastly lower prices than official channels charge. There is a huge commodity market for credit card numbers, proprietary data stolen from corporate laptops, medical data and the like. Botnets themselves have become a commodity. They are now bought and sold like bundles of home mortgages in the bond market, or rented to clients for a specific series of exploits . Certain businesses such as online casinos are regularly subject to extortion. Their business model relies on an ‘always on’ posture. Any disruption of service results in a breach of trust from gamblers, so they are particularly vulnerable to threats of DDos. The mountains of personal information available from personal computers, email, corporate networks and other sources means that botnets are a Phisher’s paradise. The level of detail involved means that emails can be individually crafted to appeal to specific victims. This results in more valuable personal data, such as social security numbers, but can also be used to leverage future attacks on networks. The botnet may thus be’ multitasked’, providing additional revenue in exchange for the use of the compromised network. One of the biggest and most profitable uses for botnets is in delivering spam. Bruce Schneier, the ubiquitous computer security maven, reported in his blog “Schneier on Schneier” Feb 2, 2006, “Ancheta and SoBe[botnet operators] signed up as affiliates in programs
  • 8. Botnets and Alife maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.” This adds quasi-legitimate business to the list of uses for botnets. It may be noted that Recently Google acquired the internet user tracking ad agency DoubleClick, raising the specter that this particular ‘nefarious’ activity may soon become all too legitimate. A very recent (April 25, 2007) article in Slashdot details a recent trend which is germane to Google’s business model. “Attackers apparently bought the rights to several high profile search terms, including searches that would return results for the Better Business Bureau, among others. The story notes that this Was bound to happen, given the way that Google structures sponsored links: ‘The bad guys behind the attack appeared to capitalize on an odd feature of Google’s sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer is about to access appears in the bottom left hand corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors can be taken first.’ “ (www.slashdot.org/index.pl?issue=20070425) Beyond the problems that currently exist with botnets, the greater nightmare may be that botnet operators acquire legitimate channels, such as Google/ Doubleclick that are trusted sources for millions of users. The profit potential of such a development would constitute a seismic shift in the dynamics of the web and the botnet industry, particularly in countries where the legal and regulatory environment is subject to bribes, lobbying, and other forms of persuasion. We may yet see the day when botnets are a ‘feature’ of the Internet. Recall my original thesis that botnets are essentially evolving digital organisms. They obtain their fuel from gathering data. Yet they are in the end simply byproducts of the people who run them, artifacts of the war between legitimate consumers, businesses and institutions and the hackers and crackers whose interests are intimately tied to their financial and professional goals.
  • 9. Botnets and Alife Who are these people? What are their motivations? Can we posit a ‘profile’ to help us to defeat them, or at least put up an effective defense? An interview with Washington Post security computer blogger Brian Krebs, botnet herder ‘Witlog’ claimed he did it for ‘fun’. Witlog’s specialty was installing adware-serving software. Krebs claimed he was making far in excess of $6000 to $10,000 per month. He built a botnet to 45,000 PCs before botnet hunters from the volunteer group Shadowserver caused his ISP to drop him. Witlog registered a new bot control channel (Witlog.net this time instead of Witlog.com), and began rebuilding the botnet. He is the modern version of a ‘script kiddy’, a semiskilled hacker who downloads scripts from the Internet and plays with them. It is quite possible that the money he makes is ‘silly money’, and that the motivation is the same as it always has been for this type of hacker- notoriety and the desire for respect from his peer group. It is not for nothing that exploits are commonly said to be ‘in the wild’. (http:blog.washingtonpost/securityfix.2006/03/post.html). If you’re a woodmouse (or a PC owner), it matters little whether you are eaten by a weasel like Witlog or a puma. Who are the pumas? It is at this juncture that the DNA of attackers changes. In his blog, The RedTapeChronicles”, Bob Sullivan writes about international gangs of hackers, “The bot network industry has become so profitable, and hijacked computers so valuable, that rival gangs are now fighting over them.” The object of the fight is not physical, but to either take over someone else’s network or knock it off line. Sullivan writes: “When the Storm worm was released in Jan [07], it had a dual function. In addition to its spam functions, Storm-infected computers were instructed to attack web sites run by the rival Russian Warezov gang…… The sites had been set up as communications hubs for Warezov-hijacked computers. Without them, the zombie computers did not know where to attack.” (http://blog.washingtonpost.com/securityfix/2006/03/post.html. ) The point is that botnets are now a business. In business, it’s important to advertise yourself
  • 10. Botnets and Alife as the leader. Sullivan quotes Jose Nazario, a security researcher at Arbor Networks, “A single denial-of-service attack on a gambling website can cost $50,000 a day.” Sullivan puts the number of infected computers at perhaps 100 million, although it is hard to see how anyone could come up with a truly accurate estimate. He claims the top gangs are in Russia, Brazil, and Eastern Europe. Sullivan quotes David Marcus, security research and communications manager at MacAfee: “ Bot herders are typically young-perhaps 18-25—often only a little bit older than a teenage hacker. They are nearly always men. And they tend to live in an area where traditional, big money computing jobs are hard to find. [The gangs] watch for bright kids and they start them on small tasks, like, ‘Find me 100 passwords and I’ll give you 1000 rubles.” Marcus said that more aggressive recruitment sometimes involves actually sending recruits to college. We have, I think, sufficiently demonstrated the nature and scope of the botnet problem. The next logical step is to ask what to do about it. As long as the owners of PC’s which are subject to recruitment into botnets are not motivated to take proactive measures, the existence Of botnets will be a given. PC owners are affected by spam, of course, as is everyone else on the Internet, but the very ubiquitousness of the phenomena manifests in a certain resigned attitude. Beyond that, the average user might notice a certain amount of slowdown, and personal data will be compromised, but we can expect no concerted effort by consumers towards preventing their machines from being affected. A great deal of good could come from fostering awareness of the problem, but efforts to raise consciousness about the operation of computers run exactly counter to the intentions of large corporate interests such as Microsoft, who advertise convenience and operating systems that ‘just work’. The popularity of computer science in the United States has declined markedly since corporations decided that their knowledge assets should have a basis in cheaper countries such as India and China. Computer Science is hard
  • 11. Botnets and Alife work, and more lucrative employment futures are seen to be elsewhere by candidates for higher learning. That leaves the ISP’s and network administrators, plus the government and vendors of security products. The ISP’s can ban a domain name from their services, but we have seen in the case of ‘Witlog’, such strictures are easily circumvented. IRC channel administrators are also subject to circumvention. The government (in this country) Has chosen to increase penalties after the perpetrators have been caught- if they can be caught. Security product vendors stand to make a great deal of money if they can come up with effective anti-bot products. As an example, McAfee launched a ‘bot-killing system’ in 2006. Techworld reported, “Unlike conventional DDos systems based on the statistical analysis of traffic, the first Layer of the new Advanced Botnet Protection(ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependant on whether or not it is ‘complete’.” The system depends on the concept of SYN cookies, not a new idea. SYN cookies amount to particular choices in initial TCP sequence numbers by servers. This defends against SYN flood attacks by avoiding dropping connections as the SYN queue fills up- the server acts as if the queue had been enlarged. What can the administrator do? Most of the existing approaches are defensive in nature. A bot needs a vulnerability or misconfiguration to exploit. In theory, if there were no vulnerabilities, the entire attack would fail. But much can be done in ensuring that the network is properly patched and configured, and IDS have signatures to protect against common exploits. The problem is that signatures need to be updated at a dizzying pace to keep up. Another approach is to interrupt communications between botnets and their herders. This can be accomplished by blocking the bots from communicating on the IRC channel. A firewall in some cases can block these communications by filtering outgoing traffic, although such protocols as HTTP may be impossible to block without destroying the functionality of the
  • 12. Botnets and Alife network itself. Covert channels and encrypted data streams may also be hard to detect and stop, although protocol anomalies make it technically possible in some instances. Other solutions such as honeypots are also feasible, but if not properly configured, can actually be used by an attacker to break into the system. The problem of bots is technically not solveable at this time. If my thesis about the resemblance of botnet evolution to artificial life evolution is correct, the real problem may not even have arisen yet. In biological life, a plague continues until it becomes inefficient to infect hosts, because there are not enough left to infect, and the ones who are left have developed natural immunities. It is doubtful that the entire Internet will face extinction because of botnets or their successors, because without the Internet the vector that produces profit for the botnet owners will disappear. At a certain point, therefore, a balance will be struck, with a usable Internet laced with botnets. The question is, how much power will the botnet owners have?
  • 13. Botnets and Alife References www.itbsecurity.com/pr/13677 www.wired.com/wired/ archive/14.11/botnet_pr.html http://ddanchev.blogsopt.com/2006/02/war-against-botnets-and-ddos-attack.html http://en.wikipedia.org/wikiSYN_cookie www.stanford.edu/~stinson/paper_notes/bots/botnet_tracking.txt www.ethicalhacker.net/content/view/63/2/ http://blog.washingtonpost.com/securityfix/2006/03/post.html www.schneier.com/blog/archives/2006/02/froprofit_botne.html www.theregister.co.uk/2004/10/20/phishing_botnet/print.html www.enterprisenetworkingpalnet.com/netsecur/article.php/3504801 www.rso.cornell.edu/scitech/archive/94fal/attfe.html www.honeypot.org/papers/bots http://redtape.msnbc.com/2007/04/virus_gang_warf.html physica D, 75: 239-263, 1994 isc.sans.org/diary.html?storyID=2612 www.sans.org/readingroom/whitepapers/malicious/1279.php www.slashdot.org/index.pl?issue=20070425
  • 14. Botnets and Alife